How to disable Jetty Web Server Security Banner in OE Explor

Posted by Tai Li on 21-Apr-2016 01:17

Hi All,

During the internal vulnerability assessment audit, we found out that the banner from Jetty is being exposed.

Server: Jetty/4.2.9 (Windows Vista/6.1 amd64 java/1.5.0_11)

How can I disable this?

Meantime I will continue to search for answers.

Thank you.

Regards,
Tai Li

Posted by Tai Li on 10-May-2016 11:43

Hi All,

I have found the solution for Jetty 4.2.x.

Edit <DLC>\fathom.init.params and append the following line to the end of the page:

org.mortbay.http.Version.paranoid=true

Restart AdminService.

PS: Credit to the friends in Jetty mailing list - http://dev.eclipse.org/mhonarc/lists/jetty-users/msg07012.html.

Thank you.

Regards,
Tai Li
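Two small helpers to go with the fix above, as an added example that is not from the original thread or from Progress: one applies the fathom.init.params change exactly once (so repeated runs do not append duplicate lines), the other checks a Server header the way the audit did, so the result of the restart can be verified. The key=value line format and the management URL passed on the command line are assumptions.

```python
"""Apply and verify the Jetty 4 banner fix from this thread (added example)."""
import re
import sys
from pathlib import Path
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PARANOID_KEY = "org.mortbay.http.Version.paranoid"
PARANOID_LINE = PARANOID_KEY + "=true"
# Assumed file format: one key=value per line, as in the post above.
KEY_RE = re.compile(r"^\s*" + re.escape(PARANOID_KEY) + r"\s*=\s*(.*?)\s*$")
# Anything beyond a bare product name: version numbers, OS, arch, JVM.
DETAIL_RE = re.compile(r"Jetty/\d|java/\d|windows|linux|amd64|x86", re.I)


def add_paranoid(text):
    """Return (new_text, changed). Appends the paranoid line unless an
    enabled one is already present; a stale non-true line is replaced."""
    lines = text.splitlines()
    for line in lines:
        m = KEY_RE.match(line)
        if m and m.group(1).lower() == "true":
            return text, False
    kept = [line for line in lines if not KEY_RE.match(line)]
    kept.append(PARANOID_LINE)
    return "\n".join(kept) + "\n", True


def ensure_paranoid(params_path):
    """Apply add_paranoid() to <DLC>\\fathom.init.params in place."""
    path = Path(params_path)
    new_text, changed = add_paranoid(path.read_text())
    if changed:
        path.write_text(new_text)
    return changed


def banner_leaks(server_header):
    """True if a Server header still exposes version/OS/JVM details.
    No header at all, or a bare product name, counts as hardened."""
    return bool(server_header) and bool(DETAIL_RE.search(server_header))


def fetch_server_header(url, timeout=5):
    """HEAD the management URL and return its Server header (None if absent).
    Error responses carry headers too, so they are inspected as well."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Server")
    except HTTPError as err:
        return err.headers.get("Server")


if __name__ == "__main__":
    # Usage: python check_banner.py http://<host>:<port>/  (URL is assumed input)
    hdr = fetch_server_header(sys.argv[1])
    print("Server header:", hdr, "->", "LEAKS" if banner_leaks(hdr) else "ok")
```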

All Replies

Posted by Tai Li on 21-Apr-2016 01:28

I'm looking at a solution where only a modification to the Jetty XML file is enough. (Example: http://attenuated-perspicacity.blogspot.sg/2009/09/jetty-61x-hardening.html) I believe OE Explorer has its own unique way to implement this. Most of the solutions I found online require coding.

Posted by rkumar on 21-Apr-2016 02:00

Hi Tai,
 
Which version of OpenEdge are you using? Are you talking about the header banner (with “Progress OpenEdge Management”) or something else?
Can you throw some more light on how the vulnerability was identified, and the issues with having the jetty, OS and java version exposed?
 
I also suggest you move this post to the OE Management community section.
 
Regards,
Rohit.
 

Posted by Tai Li on 21-Apr-2016 02:20

Hi Rohit,

Actually, it is my client. They are using OE 10.2B. It is the Jetty server header banner that I'm referring to. You can try the method as shown in this link (http://niiconsulting.com/checkmate/2012/10/disable-iis-7-5-banner-version/). There is no issue with the OE Explorer nor the Jetty. It is just that my client wanted to harden their server.

PS: How do I move this thread?

Thank you.

Regards,
Tai Li

Posted by Rohit Kumar on 21-Apr-2016 03:03

We will check with the Security Architect on this and let you know.

Posted by Libor Laubacher on 21-Apr-2016 04:21

The sendServerVersion option is not available in Jetty 4; it's been added in later releases, so one option would be to upgrade.

Posted by Tai Li on 21-Apr-2016 04:58

Thank you, Rohit.

Hi Libor, I believe the sendServerVersion you've mentioned is used in coding. Does Jetty 4 have a similar option in the XML configuration file? Thank you.

Regards,

Tai Li

Posted by Libor Laubacher on 21-Apr-2016 06:54

For any parameter you might put into the XML file, there has to be a server part to process it and act accordingly. I was trying to say that Jetty 4 does not have the option to mask the server version.

Using a Progress example: you can have a .pf file with -ignoreerrors, but unless the client (prowin32) that uses/reads that .pf knows what to do about it, nothing will happen.

Posted by Tai Li on 21-Apr-2016 21:25

Hi Libor, I understand. Thank you so much!

This thread is closed